Hi,

We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added and promoted a Server 2008R2 as a Domain Controller. We've come across the following issues and request some suggestions to resolve them:

- The migration didn't generate DNS entries for the new realm. We had to manually create a new zone file (/var/cache/bind) for the new realm. Only then were we able to promote the Server 2008 R2 as the DC. Is this an expected outcome post migration?

- Similarly, the dhcpd.conf file exhibited the same outcome as above.

- When we added a new machine to the domain, it didn't update the DNS record in the Samba box. The machine joins the domain but there is no DNS record for it.

- We added the DNS role in the Server 2008 R2 DC; what we found is that any record created in Bind9 gets replicated to the Windows server but not vice versa.

The AD user bit seems to sync ok between the servers.

The samba-tool dbcheck --cross-ncs gives the following:

samba-tool dbcheck --cross-ncs
Checking 3835 objects
ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to parse dn string
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 157, in run
    controls=controls, attrs=attrs)
  File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 198, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 1839, in check_object
    expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))

smb.conf

[global]
        netbios name = TEST
        realm = TESTDC
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TESTDC
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/testdc/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Regards,

Praveen Ghimire
> The migration didn't generate DNS entries for the new realm.
> We had to manually create a new zone file (/var/cache/bind)

That does not look right. Don't use BIND9_FLATFILE zones. Start reading here:
https://wiki.samba.org/index.php/The_Samba_AD_DNS_Back_Ends

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Praveen Ghimire via samba
> Sent: Tuesday 6 February 2018 4:05
> To: samba at lists.samba.org
> Subject: [Samba] Samba Migration and AD integration
>
> Hi,
>
> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added and promoted a
> Server 2008R2 as a Domain Controller. We've come across the following
> issues and request some suggestions to resolve them
>
> - The migration didn't generate DNS entries for the new realm. We had
> to manually create a new zone file (/var/cache/bind) for the new realm.
> Only then were we able to promote the Server 2008 R2 as the DC. Is this
> an expected outcome post migration?
>
> - Similarly, the dhcpd.conf file exhibited the same outcome as above.
>
> - When we added a new machine to the domain, it didn't update the DNS
> record in the Samba box. The machine joins the domain but there is no
> DNS record for it.
>
> - We added the DNS role in the Server 2008 R2 DC; what we found is that
> any record created in Bind9 gets replicated to the Windows server but
> not vice versa.
>
> The AD user bit seems to sync ok between the servers.
On Tue, 2018-02-06 at 03:05 +0000, Praveen Ghimire via samba wrote:
> Hi,
>
> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added and promoted a
> Server 2008R2 as a Domain Controller. We've come across the following
> issues and request some suggestions to resolve them
>
> - The migration didn't generate DNS entries for the new realm. We had
> to manually create a new zone file (/var/cache/bind) for the new realm.
> Only then were we able to promote the Server 2008 R2 as the DC. Is this
> an expected outcome post migration?

I think you have not understood how AD DNS works.

It won't create a zone file, it will create entries in the replicated DB that you can see over LDAP. By default the internal DNS server is used, but a DLZ plugin for bind9 can also be used.

Run samba_dnsupgrade --backend=BIND9_DLZ and follow the instructions if you wish to use bind, rather than create a zone file.

> - Similarly, the dhcpd.conf file exhibited the same outcome as above.

Samba doesn't control dhcpd, but instructions for that are on the wiki.

> - When we added a new machine to the domain, it didn't update the DNS
> record in the Samba box. The machine joins the domain but there is no
> DNS record for it.

If Samba's DNS isn't used then dynamic updates won't work.

> - We added the DNS role in the Server 2008 R2 DC; what we found is that
> any record created in Bind9 gets replicated to the Windows server but
> not vice versa.

While I wouldn't exactly expect this if you were not using Samba for DNS on the Samba server, I think that is at the heart of your trouble.

> The AD user bit seems to sync ok between the servers.
> The samba-tool dbcheck --cross-ncs gives the following
>
> samba-tool dbcheck --cross-ncs
> Checking 3835 objects
> ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to parse dn string
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 157, in run
>     controls=controls, attrs=attrs)
>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 198, in check_database
>     error_count += self.check_object(object.dn, attrs=attrs)
>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 1839, in check_object
>     expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
>
> smb.conf
>
> [global]
>         netbios name = TEST
>         realm = TESTDC
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = TESTDC
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes

The fact that your realm has no dots in it and is the same as the workgroup isn't a good start. This may be a redaction, but I smell trouble here.

> [netlogon]
>         path = /var/lib/samba/sysvol/testdc/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No

I hope the above helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Hi Andrew,

The realm in fact has no dots; is this going to be an issue? It is different to the workgroup. The details did get "lost in redaction".

Coming back to the DNS. When we did the domain migration, we used --dns-backend=BIND9_DLZ. My assumption was it would stick to the BIND_DLZ. Anyhow, when we use the default settings post migration, we are not able to DCPROMO the Server 2008R2 server. It comes up with a DNS record error, more specifically the SRV records for _ldap_tcp_dc_msdsc_(realmname). Then if we change the DNS to BIND9 using the dns_upgrade-backend=BIND9_DLZ and stick in a zone file with manually added SRV records, we are able to DCPROMO but then have DNS (and, it turns out, AD replication) issues. The AD replication issues are due to DNS not replicating and not copying the _msdsc_ zone file.

So what is the best option in our case? Domain Prep/Migrate using BIND9_DLZ and then stick to the SAMBA_DNS?

One question is, would it help if we add the SRV records to the /var/cache/bind/zone file pre migration? Will the migration read that file and convert it to the DNS DB?

Thank you.

Regards,

Praveen

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, 6 February 2018 6:22 PM
To: Praveen Ghimire <PGhimire at sundata.com.au>; samba at lists.samba.org
Subject: Re: [Samba] Samba Migration and AD integration

On Tue, 2018-02-06 at 03:05 +0000, Praveen Ghimire via samba wrote:
> Hi,
>
> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added and promoted a
> Server 2008R2 as a Domain Controller. We've come across the following
> issues and request some suggestions to resolve them
>
> - The migration didn't generate DNS entries for the new realm. We had
> to manually create a new zone file (/var/cache/bind) for the new realm.
> Only then were we able to promote the Server 2008 R2 as the DC. Is this
> an expected outcome post migration?

I think you have not understood how AD DNS works.
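Andrew's point above is that the records an AD DC needs (the _ldap._tcp.dc._msdcs SRV record that Praveen's DCPROMO complains about, among others) are objects in the replicated directory, served either by Samba's internal DNS or by BIND through the DLZ plugin, never by a hand-written zone file. A quick way to see which of those records a DC actually answers for is to query them directly. The script below is an added example written for this thread; it is not Samba code and nothing in it comes from the original posts. It speaks the DNS wire format itself (RFC 1035 names and RFC 2782 SRV rdata) so it runs on a plain Python 3 install without dnspython; the realm ad.test, the host dc1 and the address 192.0.2.10 are placeholders, not names from the thread, and the sample response is constructed in the code rather than captured from a real DC.

```python
"""Minimal SRV lookup against the DNS wire format (RFC 1035 / RFC 2782) to check
the records an AD domain controller must publish. Added example for this thread,
not Samba code; Python 3 standard library only. "ad.test" and "dc1" below are
placeholders, not names from the thread."""
import random
import socket
import struct
import sys

QTYPE_SRV = 33
MAX_POINTER_HOPS = 16  # a hostile or broken answer can contain pointer loops


def dc_srv_names(realm):
    """Owner names the DC locator (and DCPROMO's prerequisite check) asks for;
    the dc._msdcs one is the record the thread reports as missing."""
    plain = ["_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp"]
    msdcs = ["_ldap._tcp.dc", "_kerberos._tcp.dc", "_ldap._tcp.pdc", "_ldap._tcp.gc"]
    return [p + "." + realm for p in plain] + [m + "._msdcs." + realm for m in msdcs]


def encode_name(name):
    """'ad.test' -> b'\\x02ad\\x04test\\x00' (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid):
    """One recursion-desired question for an SRV record, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end  # reading resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_srv_answers(msg):
    """Return (rcode, [(priority, weight, port, target), ...]) from a response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            records.append((prio, weight, port, decode_name(msg, off + 6)[0]))
        off += rdlen
    return flags & 0xF, records


def query_srv(name, server, timeout=3.0):
    """Plain UDP query: shows that a record is served, not that it is authentic."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data = sock.recvfrom(4096)[0]
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("answer id does not match the query")
    return parse_srv_answers(data)


def check_dc_records(realm, server):
    """Map every required name to its SRV targets, or to why the lookup failed."""
    report = {}
    for name in dc_srv_names(realm):
        try:
            rcode, records = query_srv(name, server)
            report[name] = [r[3] for r in records] if rcode == 0 else "rcode %d" % rcode
        except (OSError, ValueError) as exc:
            report[name] = "error: %s" % exc
    return report


def build_sample_response():
    """Constructed answer (not captured from a DC) so the parser can be exercised
    offline: one SRV record, _ldap._tcp.dc._msdcs.ad.test -> dc1.ad.test port 389.
    The question name starts at offset 12 and its 'ad.test' suffix at offset 33."""
    question = encode_name("_ldap._tcp.dc._msdcs.ad.test") + struct.pack("!HH", QTYPE_SRV, 1)
    rdata = struct.pack("!HHH", 0, 100, 389) + b"\x03dc1" + b"\xc0\x21"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SRV, 1, 600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    # usage (placeholder values): python3 check_dc_srv.py ad.test 192.0.2.10
    for name, result in check_dc_records(sys.argv[1], sys.argv[2]).items():
        print("%-45s %s" % (name, result))
```

Run it once against the Samba DC's own address and once against the Windows DC. A name that comes back as rcode 3 (NXDOMAIN) from the Samba DC is exactly the condition that makes DCPROMO's prerequisite check fail, and once the zone lives in the directory rather than in a flat file under /var/cache/bind, both DCs should return the same set of targets. Two caveats: the query is unauthenticated UDP, so it proves that something is answering for the name, not that the answer is trustworthy; and the hop limit in decode_name exists because a parser that follows compression pointers blindly can be sent into a loop by a malformed or malicious response.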
On Tue, 6 Feb 2018 03:05:18 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added and promoted a
> Server 2008R2 as a Domain Controller. We've come across the following
> issues and request some suggestions to resolve them
>
> - The migration didn't generate DNS entries for the new realm. We had
> to manually create a new zone file (/var/cache/bind) for the new realm.
> Only then were we able to promote the Server 2008 R2 as the DC. Is this
> an expected outcome post migration?
>
> - Similarly, the dhcpd.conf file exhibited the same outcome as above.
>
> - When we added a new machine to the domain, it didn't update the DNS
> record in the Samba box. The machine joins the domain but there is no
> DNS record for it.
>
> - We added the DNS role in the Server 2008 R2 DC; what we found is that
> any record created in Bind9 gets replicated to the Windows server but
> not vice versa.
>
> The AD user bit seems to sync ok between the servers.
>

Let's see if I understand correctly what you have done:

You had a Samba NT4-style domain and you have classic upgraded this to a Samba AD domain.

You were running Bind9 on the NT4-style PDC and you want to continue running it.

You were also running a DHCP server on the NT4-style PDC and you want to continue running it.

Is all this correct? If not, please describe your setup better.

Rowland
Hi Rowland,

Thank you. Yes to the first point.

We are using Bind9, but to continue using it is not necessarily set in stone. If using Samba internal DNS makes more sense then we can do that too. The question is, do we need to do dns-upgrade and use internal DNS pre-migration? Then use internal DNS during the classic migration? Also, I assume the bind9 service will have to be stopped if in fact we use the internal DNS?

The DHCP is to stay with the Samba server for now. Later on we can decide on moving it to the Windows server.

Hope I've clearly explained the situation.

Regards,

Praveen Ghimire

-------- Original message --------
From: Rowland Penny via samba <samba at lists.samba.org>
Date: 6/02/2018 8:38 PM (GMT+10:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Samba Migration and AD integration

On Tue, 6 Feb 2018 03:05:18 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added and promoted a
> Server 2008R2 as a Domain Controller. We've come across the following
> issues and request some suggestions to resolve them
>
> - The migration didn't generate DNS entries for the new realm. We had
> to manually create a new zone file (/var/cache/bind) for the new realm.
> Only then were we able to promote the Server 2008 R2 as the DC. Is this
> an expected outcome post migration?
>
> - Similarly, the dhcpd.conf file exhibited the same outcome as above.
>
> - When we added a new machine to the domain, it didn't update the DNS
> record in the Samba box. The machine joins the domain but there is no
> DNS record for it.
>
> - We added the DNS role in the Server 2008 R2 DC; what we found is that
> any record created in Bind9 gets replicated to the Windows server but
> not vice versa.
>
> The AD user bit seems to sync ok between the servers.